Issue 1081913003: Route OCSP stapling through CertVerifier.

Issue 1081913003: Route OCSP stapling through CertVerifier. (Closed)

Created:
5 years, 8 months ago by davidben

Modified:
5 years, 7 months ago

Reviewers:
Sergey Ulanov, Roger Tawa OOO till Jul 10th, Ryan Sleevi, pneubeck (no reviews)

CC:
chromium-reviews, zea+watch_chromium.org, stevenjb+watch_chromium.org, oshima+watch_chromium.org, davemoore+watch_chromium.org, cbentzel+watch_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/src.git@boringnss

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

Route OCSP stapling through CertVerifier. This moves the platform-specific OCSP stapling code out of SSLClientSocket, which enables OCSP stapling on the chimera build. It'll also make it easier to support OCSP stapling on OS X, where a stapled OCSP response is a property of the certificate verification (as it should be) and not the certificate. BUG=430714, 479034 Committed: https://crrev.com/15f5713c41825ea900cd6dc4f6de4a6d3fff538d Cr-Commit-Position: refs/heads/master@{#327070}

Patch Set 1 #

Total comments: 2

Patch Set 2 : fix remoting, move ocsp stapling lower on windows #

Patch Set 3 : split remoting fix out separately #

Total comments: 12

Patch Set 4 : rebase #

Patch Set 5 : sleevi comments #

Patch Set 6 : missed one #

Patch Set 7 : CertVerifier::Default #

Patch Set 8 : missed another spot #

Patch Set 9 : typo #

Patch Set 10 : more cros fix #

Patch Set 11 : yet another CrOS-only Verify call #

Created: 5 years, 8 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+369 lines, -426 lines)			Patch
M	chrome/browser/chromeos/net/cert_verify_proc_chromeos.h	View	1 2 3 4 5 6 7	1 chunk	+1 line, -0 lines	0 comments	Download
M	chrome/browser/chromeos/net/cert_verify_proc_chromeos.cc	View	1 2 3 4 5 6 7	2 chunks	+3 lines, -6 lines	0 comments	Download
M	chrome/browser/chromeos/net/cert_verify_proc_chromeos_unittest.cc	View	1 2 3 4 5 6 7 8 9	1 chunk	+3 lines, -6 lines	0 comments	Download
M	chrome/browser/chromeos/policy/policy_cert_verifier.h	View		2 chunks	+3 lines, -0 lines	0 comments	Download
M	chrome/browser/chromeos/policy/policy_cert_verifier.cc	View	1 2 3 4 5 6 7 8	3 chunks	+9 lines, -2 lines	0 comments	Download
M	chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc	View	1 2 3 4 5 6 7 8 9 10	1 chunk	+3 lines, -7 lines	0 comments	Download
M	google_apis/gcm/tools/mcs_probe.cc	View	1 2 3 4 5	1 chunk	+1 line, -0 lines	0 comments	Download
M	net/cert/cert_verifier.h	View		3 chunks	+6 lines, -0 lines	0 comments	Download
M	net/cert/cert_verifier.cc	View	1 2 3 4 5 6	1 chunk	+15 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc.h	View	1 2 3 4 5	4 chunks	+9 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc.cc	View		2 chunks	+2 lines, -1 line	0 comments	Download
M	net/cert/cert_verify_proc_android.h	View		2 chunks	+2 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc_android.cc	View		1 chunk	+5 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc_mac.h	View		2 chunks	+2 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc_mac.cc	View	1 2 3 4 5	1 chunk	+7 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc_nss.h	View	1 2 3 4	3 chunks	+14 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc_nss.cc	View	1 2 3 4	5 chunks	+39 lines, -5 lines	0 comments	Download
M	net/cert/cert_verify_proc_openssl.h	View		2 chunks	+2 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc_openssl.cc	View		1 chunk	+5 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc_unittest.cc	View	1 2 3 4 5	4 chunks	+4 lines, -1 line	0 comments	Download
M	net/cert/cert_verify_proc_win.h	View		2 chunks	+2 lines, -0 lines	0 comments	Download
M	net/cert/cert_verify_proc_win.cc	View	1 2 3 4	2 chunks	+22 lines, -0 lines	0 comments	Download
M	net/cert/mock_cert_verifier.h	View		1 chunk	+1 line, -0 lines	0 comments	Download
M	net/cert/mock_cert_verifier.cc	View		1 chunk	+1 line, -0 lines	0 comments	Download
M	net/cert/multi_threaded_cert_verifier.h	View		4 chunks	+5 lines, -0 lines	0 comments	Download
M	net/cert/multi_threaded_cert_verifier.cc	View	1 2 3 4 5	12 chunks	+34 lines, -31 lines	0 comments	Download
M	net/cert/multi_threaded_cert_verifier_unittest.cc	View		13 chunks	+94 lines, -135 lines	0 comments	Download
M	net/cert/nss_cert_database_unittest.cc	View	1 2 3 4 5	13 chunks	+35 lines, -78 lines	0 comments	Download
M	net/cert/single_request_cert_verifier.h	View		1 chunk	+1 line, -0 lines	0 comments	Download
M	net/cert/single_request_cert_verifier.cc	View		2 chunks	+2 lines, -1 line	0 comments	Download
M	net/cert/test_root_certs_unittest.cc	View		3 chunks	+9 lines, -18 lines	0 comments	Download
M	net/cert_net/nss_ocsp_unittest.cc	View	1 2 3 4 5	1 chunk	+3 lines, -8 lines	0 comments	Download
M	net/quic/crypto/proof_verifier_chromium.cc	View		1 chunk	+6 lines, -9 lines	0 comments	Download
M	net/socket/ssl_client_socket_nss.cc	View	1 2 3	5 chunks	+5 lines, -71 lines	0 comments	Download
M	net/socket/ssl_client_socket_openssl.cc	View	1 2 3	6 chunks	+13 lines, -47 lines	0 comments	Download
M	remoting/protocol/ssl_hmac_channel_authenticator.cc	View	1 2 3 4 5	1 chunk	+1 line, -0 lines	0 comments	Download

Messages

Total messages: 19 (5 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

Ryan Sleevi

Looks like remoting might be supplying a NULL certverifier in violation of the "expected" API. ...

5 years, 8 months ago (2015-04-22 22:53:37 UTC) #2

davidben

Dealt with remoting being silly in https://codereview.chromium.org/1103603003/ and rebased on top of it. https://codereview.chromium.org/1081913003/diff/1/net/cert/cert_verify_proc_win.cc File ...

5 years, 8 months ago (2015-04-23 01:02:33 UTC) #3

Ryan Sleevi

This LGTM, but the caveat is that I think the CertVerifier solution is short-term correct ...

5 years, 8 months ago (2015-04-23 01:41:23 UTC) #4

davidben

Rebased on top of new remoting CL which fixes their null CertVerifier https://codereview.chromium.org/1081913003/diff/40001/net/cert/cert_verify_proc_nss.cc File net/cert/cert_verify_proc_nss.cc ...

5 years, 8 months ago (2015-04-23 20:41:47 UTC) #5

davidben

+pneubeck for chrome/browser/chromeos/policy +rogerta for google_apis

5 years, 8 months ago (2015-04-24 21:49:45 UTC) #7

davidben

And +sergeyu for remoting Also, Ryan, PTAL at the new changes to net/cert/cert_verifier.cc in case ...

5 years, 8 months ago (2015-04-24 23:20:09 UTC) #9

Ryan Sleevi

On 2015/04/24 23:20:09, David Benjamin (OOO sick) wrote: > - Having a CertVerifier::CreateDefault API is ...

5 years, 8 months ago (2015-04-24 23:29:13 UTC) #10

davidben

On 2015/04/24 23:29:13, Ryan Sleevi wrote: > On 2015/04/24 23:20:09, David Benjamin (OOO sick) wrote: ...

5 years, 8 months ago (2015-04-24 23:36:54 UTC) #12

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1081913003/200001

5 years, 7 months ago (2015-04-27 16:09:22 UTC) #17

commit-bot: I haz the power

5 years, 7 months ago (2015-04-27 18:09:43 UTC) #19

Message was sent while issue was closed.

Patchset 11 (id:??) landed as
https://crrev.com/15f5713c41825ea900cd6dc4f6de4a6d3fff538d
Cr-Commit-Position: refs/heads/master@{#327070}

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages